From d1e8ff48c582a01d92c8e29d7c4b9e70d804d1ba Mon Sep 17 00:00:00 2001
From: DebaucheryLibrarian
Date: Wed, 17 Jun 2026 00:23:03 +0200
Subject: [PATCH] Verifying abilities for admin panel access instead of relying on user role.

---
 pages/admin/actors/+onBeforeRender.js | 7 +++++++
 pages/admin/revisions/actors/+onBeforeRender.js | 4 +++-
 pages/admin/revisions/scenes/+onBeforeRender.js | 4 +++-
 src/actors.js | 2 --
 4 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/pages/admin/actors/+onBeforeRender.js b/pages/admin/actors/+onBeforeRender.js
index ae2e493..0b37898 100644
--- a/pages/admin/actors/+onBeforeRender.js
+++ b/pages/admin/actors/+onBeforeRender.js
@@ -1,6 +1,13 @@
+import { render } from 'vike/abort'; /* eslint-disable-line import/extensions */
+
 import { fetchActors } from '#/src/actors.js';
+import verifyAbility from '#/utils/verify-ability.js';

 export default async function onBeforeRender(pageContext) {
+ if (!pageContext.user || !verifyAbility(pageContext.user, 'actor', 'merge')) {
+ throw render(404);
+ }
+
 const { actors } = await fetchActors({
 query: pageContext.urlParsed.search.q,
 }, {
diff --git a/pages/admin/revisions/actors/+onBeforeRender.js b/pages/admin/revisions/actors/+onBeforeRender.js
index 490e35e..083d33f 100644
--- a/pages/admin/revisions/actors/+onBeforeRender.js
+++ b/pages/admin/revisions/actors/+onBeforeRender.js
@@ -1,8 +1,10 @@
 import { render } from 'vike/abort'; /* eslint-disable-line import/extensions */
+
 import { fetchActorRevisions } from '#/src/actors.js';
+import verifyAbility from '#/utils/verify-ability.js';

 export async function onBeforeRender(pageContext) {
- if (!pageContext.user || pageContext.user.role === 'user') {
+ if (!pageContext.user || !verifyAbility(pageContext.user, 'actor', 'update')) {
 throw render(404);
 }

diff --git a/pages/admin/revisions/scenes/+onBeforeRender.js b/pages/admin/revisions/scenes/+onBeforeRender.js
index 87e97fb..d62c686 100644
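Review bot: In `pages/admin/actors/+onBeforeRender.js` the new check only decides whether the page renders; nothing in this patch shows the merge operation itself testing `actor`/`merge`, so the handler that performs the merge should make the same `verifyAbility` call rather than depend on this 404. The guard also assumes `verifyAbility` returns a plain boolean: its definition is outside the patch, and if it were async the negated promise would always be `false` and every signed-in user would pass. If the page exists for picking merge candidates, a one-line comment would record why a listing is tied to that ability, e.g. `// Hide the actor list (404) from anyone who may not merge actors.` The body of `onBeforeRender` continues past the end of the hunk.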
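Review bot: The `'actor', 'update'` check in `pages/admin/revisions/actors/+onBeforeRender.js` may admit accounts that the old `role === 'user'` test turned away: if the ability table (not part of this patch) grants `update` to ordinary accounts so they can submit edits, those accounts can now open the revision queue. The same applies to the `'scene', 'update'` check in `pages/admin/revisions/scenes/+onBeforeRender.js`. Gating both pages on an ability that only reviewers hold would keep the previous boundary; if `update` is deliberately the reviewer-level ability, a comment such as `// Revision queue: 404 unless the user may update actors directly.` above the check would make that explicit. In both files `onBeforeRender` continues past the end of the hunk.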
--- a/pages/admin/revisions/scenes/+onBeforeRender.js
+++ b/pages/admin/revisions/scenes/+onBeforeRender.js
@@ -1,8 +1,10 @@
 import { render } from 'vike/abort'; /* eslint-disable-line import/extensions */
+
 import { fetchSceneRevisions } from '#/src/scenes.js';
+import verifyAbility from '#/utils/verify-ability.js';

 export async function onBeforeRender(pageContext) {
- if (!pageContext.user || pageContext.user.role === 'user') {
+ if (!pageContext.user || !verifyAbility(pageContext.user, 'scene', 'update')) {
 throw render(404);
 }

diff --git a/src/actors.js b/src/actors.js
index e3471f1..c32b687 100644
--- a/src/actors.js
+++ b/src/actors.js
@@ -447,8 +447,6 @@ async function queryManticoreSql(filters, options, _reqUser) {
 builder.where('has_avatar', 1);
 }

- console.log('ACTOR OPTIONS', options);
-
 if (options.order?.[0] === 'name') {
 builder.orderBy([
 { column: 'actors.slug', order: options.order[1] },